
When suppressing sub-project for :dependencyCheckAggregate, only sha1 works reliably

Open w33v1l opened this issue 5 years ago • 2 comments

A sub-project in my Gradle multi-project build is triggering a false positive. If the jar file for the sub-project has previously been built, then a gav or packageUrl suppression prevents the false positive. If the jar does not exist in the build directory, then only a sha1 suppression works, which would need frequent maintenance during ongoing development.

I am running the build using Gradle 6.6 on AdoptOpenJDK build 1.8.0_265-b01.

Example build:

settings.gradle:

rootProject.name = 'foo'
include("not-elasticsearch")

build.gradle:

buildscript {
  repositories { mavenCentral() }
  dependencies { classpath 'org.owasp:dependency-check-gradle:6.0.2' }
}

plugins { id 'java-library' }

allprojects {
  apply plugin: 'org.owasp.dependencycheck'
  apply plugin: 'java-library'
  group 'org.example'
  version '1.0-SNAPSHOT'
}

repositories { mavenCentral() }

dependencies { compile(project(":not-elasticsearch")) }

dependencyCheck {
  failBuildOnCVSS = 4.0f
  suppressionFile = file("suppressions.xml")
}

suppressions.xml:

<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
   <suppress>
      <packageUrl regex="true">^pkg:maven/org\.example/not\-elasticsearch@.*$</packageUrl>
      <cpe>cpe:/a:elasticsearch:elasticsearch</cpe>
   </suppress>
</suppressions>

Steps to reproduce:

  1. ./gradlew :dependencyCheckAggregate - build fails
  2. ./gradlew jar
  3. ./gradlew :dependencyCheckAggregate - build succeeds
  4. ./gradlew cleanJar
  5. ./gradlew :dependencyCheckAggregate - build fails again

Expected behaviour:

The packageUrl suppression should work without the sub-project's jar file being present in the build directory, so all three invocations of dependencyCheckAggregate should succeed.

Workarounds:

  1. Specify a sha1 suppression. This is fragile and requires updating for every code change in the sub-project.
  2. Add a task dependency to ensure the sub-project's jar file is built before running dependencyCheckAggregate. This makes running the check on its own take longer. E.g.:

tasks.named("dependencyCheckAggregate").configure {
  dependsOn(tasks.getByPath(":not-elasticsearch:jar"))
}

w33v1l, Oct 06 '20 10:10
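As an added illustration of the two workarounds above (this is example build script, not code from the reporter or from the dependency-check-gradle plugin), the snippet below generalizes the task dependency to every sub-project and adds a helper task that regenerates sha1 suppression entries from the built jars. It assumes the layout from the report: all sub-projects apply 'java-library' (so each has a 'jar' task), and the false positive is the elasticsearch CPE shown in suppressions.xml.

```groovy
// Added example for this issue thread, not the reporter's or the plugin's code.
// Assumes every sub-project applies 'java-library' and therefore has a 'jar' task.
import java.security.MessageDigest

// Workaround 2, generalized: the aggregate check depends on every sub-project's
// jar instead of one hard-coded task path, so gav/packageUrl suppressions match.
tasks.named("dependencyCheckAggregate").configure {
    dependsOn(subprojects.collect { sp -> sp.tasks.named("jar") })
}

// Workaround 1, made regenerable: print a <sha1>-keyed <suppress> entry for each
// built sub-project jar. The digest still changes with every code change, which
// is exactly why the sha1 form needs constant maintenance.
tasks.register("printSha1Suppressions") {
    description = "Prints sha1-keyed <suppress> entries for each sub-project jar"
    dependsOn(subprojects.collect { sp -> sp.tasks.named("jar") })
    doLast {
        subprojects.each { sp ->
            File jar = sp.tasks.named("jar").get().archiveFile.get().asFile
            MessageDigest md = MessageDigest.getInstance("SHA-1")
            jar.withInputStream { stream ->
                byte[] buf = new byte[8192]
                int n
                while ((n = stream.read(buf)) > 0) {
                    md.update(buf, 0, n)
                }
            }
            String sha1 = md.digest().encodeHex().toString()
            // CPE taken from the suppressions.xml in the report above.
            println "  <suppress>"
            println "    <notes>${sp.path} ${jar.name}</notes>"
            println "    <sha1>${sha1}</sha1>"
            println "    <cpe>cpe:/a:elasticsearch:elasticsearch</cpe>"
            println "  </suppress>"
        }
    }
}
```

Run `./gradlew printSha1Suppressions` after a code change and paste the output into suppressions.xml; the packageUrl entry remains the preferable form once the jar-presence problem is resolved.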

Can you provide the build.gradle for not-elasticsearch as well?

jeremylong, Oct 06 '20 10:10

not-elasticsearch is empty, except for what is configured in the top-level build.gradle above (via the allprojects block). In other words, it has no separate build.gradle; the 3 files above are all that exist in the project.

w33v1l, Oct 06 '20 10:10